SentinelOne Logs

Connecting SentinelOne Cloud Funnel logs to your Panther Console

Overview

Panther supports the following log types from SentinelOne: SentinelOne.Activity and SentinelOne.DeepVisibility (see Supported log types below).

How to onboard SentinelOne API Activity logs to Panther

The instructions below apply to SentinelOne API Activity logs. For instructions on how to onboard SentinelOne Cloud Funnel logs, see the next section: How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther.
SentinelOne API Activity logs are in closed beta as of 1.49. Please reach out to your Panther Support team if you are interested in participating in the beta.

Prerequisites

  • You will need an API Token from a Service User that has the Viewer role in your SentinelOne account.

Create a SentinelOne Service User + API Token

  1. Log in to your SentinelOne Dashboard.
  2. In the left sidebar menu, click Settings.
  3. At the top of the Settings page, click the Users tab.
     (Screenshot: in SentinelOne, the Settings icon is highlighted in the left sidebar menu and the "Users" tab is circled at the top.)
  4. On the left side of the Users page, click Service Users.
  5. Click the Actions dropdown, then click Create New Service User.
     (Screenshot: on the Settings page, "Service Users" is highlighted on the left. The Actions dropdown menu is expanded, and the "Create New Service User" option is highlighted.)
  6. On the "Create New Service User" page, enter a name and a description, choose an expiration date, then click Next.
     (Screenshot: the "Create a new service user" page has fields for Name and Description, and a dropdown menu to choose an expiration date.)
  7. On the "Select Scope of Access" page, configure the following:
     • Access Level: Account
     • Account selected: Ensure you have selected the correct account and that the role is set to Viewer.
  8. Click Create User.
  9. Copy the API Token and store it in a secure location; you will need to provide it to Panther in the next part of the log source onboarding process.

Create a new SentinelOne API source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create New.
  4. Select SentinelOne API from the list of available log sources. Click Start Source Setup.
  5. Configure the SentinelOne API source:
     • Name: Enter a descriptive name for the source, e.g., SentinelOne API
     • SentinelOne API Organization: Enter the subdomain of your SentinelOne account. To find this value, log in to your SentinelOne Dashboard and copy the subdomain from the URL.
       • For example, if your dashboard URL is https://example-domain.sentinelone.net/dashboard, your subdomain would be example-domain.
     • API Token: Enter the token of your Service User that you copied in the previous steps of this documentation.
  6. Click Setup.
  7. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
     • This feature sends an error message if logs aren't received within a specified time interval.
  8. Click Finish Setup.

How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther

Cloud Funnel v1.0 is in open beta as of Panther version 1.47, and will be deprecated mid-2023.
Cloud Funnel v2.0 is in open beta as of Panther version 1.52. Please share any bug reports and feature requests with your account team.
Cloud Funnel v1.0 (open beta)

Prerequisites

  • You must subscribe with SentinelOne to get a constant stream of your Deep Visibility events.
    • When you subscribe, SentinelOne's support agents will provide the export schema, the topic name, the ARN for the SentinelOne-managed SQS queue, the AWS access key, and the AWS access secret.

Create a new SentinelOne Cloud Funnel source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create New.
  4. Select SentinelOne Cloud Funnel from the list of available log sources. Click Start Source Setup.
  5. Fill in the fields below:
     • Name: Enter a descriptive name for the source, e.g., SentinelOne Cloud Funnel.
     • SQS Queue ARN: Enter the ARN for the SentinelOne-managed SQS queue.
     • AWS Access Key: Enter the AWS access key that the SentinelOne support agents gave to you.
     • AWS Access Secret: Enter the AWS access secret that the SentinelOne support agents gave to you.
     (Screenshot: the SentinelOne Cloud Funnel source configuration page.)
  6. Click Continue Setup.
  7. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
     • This feature sends an error message if logs aren't received within a specified time interval.
  8. Click Finish Setup.

Cloud Funnel v2.0 (open beta)

  1. Set up your Data Transport in the Panther Console.
  2. Configure SentinelOne to push logs to the Data Transport source.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.
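As an added example (not Panther's own code), the checker below applies hand-copied excerpts of the two schemas in this section to constructed events: it enforces `required: true`, the Panther scalar types (string, int, bigint, json), nested `object`/`array` fields, and the rfc3339 and unix_ms timeFormats, and it returns the `isEventTime` value the way Panther would use it for event time. The field excerpts are trimmed to a handful of fields and the sample events are constructed, not real SentinelOne output.

```python
from datetime import datetime, timezone

# Excerpt of the SentinelOne.Activity field list above, as a Python structure
# mirroring the YAML (only a few fields, to keep the example short).
ACTIVITY_FIELDS = [
    {"name": "activityType", "required": True, "type": "int"},
    {"name": "id", "required": True, "type": "string"},
    {"name": "createdAt", "type": "timestamp", "timeFormats": ["rfc3339"], "isEventTime": True},
    {"name": "data", "type": "json"},
    {"name": "siteId", "type": "string"},
]

# Excerpt of SentinelOne.DeepVisibility: nested object fields and a unix_ms time.
DEEPVIS_FIELDS = [
    {"name": "@timestamp", "type": "timestamp", "timeFormat": "unix_ms", "isEventTime": True},
    {"name": "meta", "type": "object", "fields": [
        {"name": "traceId", "type": "string"},
        {"name": "seqId", "type": "int"},
    ]},
    {"name": "event", "type": "object", "fields": [
        {"name": "exitCode", "type": "bigint"},
        {"name": "tactics", "type": "array", "element": {"type": "object", "fields": [
            {"name": "name", "type": "string"},
        ]}},
    ]},
]

SCALAR_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "int": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "bigint": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "json": lambda v: True,  # any JSON value is accepted as-is
}

def parse_timestamp(value, spec):
    """Try each declared timeFormat; return an aware datetime or None."""
    formats = spec.get("timeFormats") or [spec.get("timeFormat")]
    for fmt in formats:
        try:
            if fmt == "rfc3339":
                return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            if fmt == "unix_ms":
                return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
        except (ValueError, TypeError, OverflowError):
            pass
    return None

def _check(value, spec, path, problems):
    t = spec["type"]
    if t == "timestamp":
        if parse_timestamp(value, spec) is None:
            problems.append(f"{path}: bad timestamp {value!r}")
    elif t == "object":
        if isinstance(value, dict):
            validate(value, spec["fields"], path + ".", problems)
        else:
            problems.append(f"{path}: expected object")
    elif t == "array":
        if isinstance(value, list):
            for i, item in enumerate(value):
                _check(item, spec["element"], f"{path}[{i}]", problems)
        else:
            problems.append(f"{path}: expected array")
    elif not SCALAR_CHECKS[t](value):
        problems.append(f"{path}: expected {t}, got {type(value).__name__}")

def validate(event, fields, prefix="", problems=None):
    """Return a list of schema violations (empty when the event conforms)."""
    problems = [] if problems is None else problems
    for spec in fields:
        path = prefix + spec["name"]
        if spec["name"] not in event or event[spec["name"]] is None:
            if spec.get("required"):
                problems.append(f"{path}: required field missing")
            continue
        _check(event[spec["name"]], spec, path, problems)
    return problems

def event_time(event, fields):
    """Return the parsed value of the top-level field marked isEventTime, or None."""
    for spec in fields:
        if spec.get("isEventTime") and spec["name"] in event:
            return parse_timestamp(event[spec["name"]], spec)
    return None

# Constructed sample events (values are made up, not real SentinelOne data).
GOOD_ACTIVITY = {"activityType": 27, "id": "1234", "createdAt": "2023-05-01T12:34:56.789Z",
                 "data": {"username": "alice"}, "siteId": "s1"}
BAD_ACTIVITY = {"activityType": "27", "createdAt": "yesterday"}  # wrong type, no id, bad time
GOOD_DEEPVIS = {"@timestamp": 1682944496789, "meta": {"traceId": "t1", "seqId": 7},
                "event": {"exitCode": 0, "tactics": [{"name": "Execution"}]}}
```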

SentinelOne.Activity

Activity events from the SentinelOne API.
schema: SentinelOne.Activity
parser:
native:
name: SentinelOne.Activity
description: Get the activities, and their data, that match the filters. We recommend that you set some values for the filters.
referenceURL: https://usea1-partners.sentinelone.net/api-doc/api-details?category=activities&api=get-activities
fields:
- name: accountId
description: Account id
type: string
- name: accountName
description: Account Name
type: string
- name: activityType
required: true
description: Activity Type
type: int
- name: activityUuid
description: Activity UUID
type: string
- name: agentId
description: Related Agent Id
type: string
- name: agentUpdatedVersion
description: Agents updated version
type: string
- name: comments
description: Comments
type: string
- name: createdAt
description: Activity creation time (UTC)
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: data
description: Event-specific data. It can have the following possible fields: accountid, accountname, action, actoralternateid, agentipv4, alertid, alertprocessname, alertscounter, application, applicationtype, attr, bundlemessage, byuser, changedkeys, commandbatchuuid, commandid, computername, confidencelevel, createdat, createdbyusername, current, datasourcename, deactivationperiodindays, description, detectedat, direction, disabledlevel, dnsrequest, dnsresponse, downloadurl, dstip, dstport, dveventid, dveventtype, email, enabledreason, error, escapedmaliciousprocessarguments, eventcategory, eventdetails, eventexternalid, eventtime, exclusiontype, expiration, expirationmessage, expirydatestr, expirytime, externalip, externalip, externalthreatvalue, filecontenthash, filedisplayname, filename, filepath, fullscopedetails, fullscopedetailspath, group, groupid, groupname, grouptype, indicatorcategory, indicatordescription, indicatorname, initiatedbyname, ipaddress, k8sclustername, k8scontainerid, k8scontainerimage, k8scontainerlabels, k8scontainername, k8scontrollerkind, k8scontrollerlabels, k8scontrollername, k8snamespace, k8snamespacelabels, k8snode, k8spod, k8spodlabels, key, licensesdescription, localhost, localhosttype, localports, localporttype, locationnames, loginaccountdomain, loginaccountsid, loginisadministratorequivalent, loginissuccessful, loginsusername, logintype, majorversion, minorversion, modulemessage, modulepath, modulesha1, namechange, namemessage, neteventdirection, networkquarantine, newincidentstatus, newincidentstatustitle, newstatus, newvalue, noteaction, notedetails, oldaccountname, olddescription, oldincidentstatus, oldincidentstatustitle, oldkey, oldrulename, oldsitename, oldstatus, oldvalue, optionalgroups, order, origagentmachinetype, origagentmachinetype, origagentname, origagentname, origagentosfamily, origagentosfamily, origagentosname, origagentosname, origagentosrevision, origagentosrevision, origagentsiteid, origagentuuid, origagentuuid, origagentversion, origagentversion, originalstatus, osarch, osfamily, ostypes, packageid, physical, platformtype, policy, policyname, previous, protocol, reason, recoveryemail, registrykeypath, registryoldvalue, registryoldvaluetype, registrypath, registryvalue, remotehost, remotehosttype, remoteports, remoteporttype, reportlog, reportmgmt, role, rolename, rulecreationtime, ruledescription, ruleexpirationmode, ruleid, rulename, rulequerydetails, rulequerytype, rulescopeid, rulescopelevel, ruleseverity, scopeid, scopelevel, scopelevelname, scopename, setting, settingmessage, severity, siteexpiration, siteid, sitename, source, sourcename, sourceparentprocesscommandline, sourceparentprocessintegritylevel, sourceparentprocesskey, sourceparentprocessmd5, sourceparentprocessname, sourceparentprocesspath, sourceparentprocesspid, sourceparentprocesssha1, sourceparentprocesssha256, sourceparentprocesssigneridentity, sourceparentprocessstarttime, sourceparentprocessstoryline, sourceparentprocesssubsystem, sourceparentprocessusername, sourceprocesscommandline, sourceprocessfilehashmd5, sourceprocessfilehashsha1, sourceprocessfilehashsha256, sourceprocessfilepath, sourceprocessfilesigneridentity, sourceprocessintegritylevel, sourceprocesskey, sourceprocesskey, sourceprocessmd5, sourceprocessname, sourceprocesspid, sourceprocesssha1, sourceprocesssha256, sourceprocessstarttime, sourceprocessstoryline, sourceprocesssubsystem, sourceprocessusername, srcip, srcmachineip, srcport, status, storyline, system, systemuser, tagid, tagnames, tags, tgtfilecreatedat, tgtfilehashsha1, tgtfilehashsha256, tgtfileid, tgtfileissigned, tgtfilemodifiedat, tgtfileoldpath, tgtfilepath, tgtproccmdline, tgtprocessstarttime, tgtprocimagepath, tgtprocintegritylevel, tgtprocname, tgtprocpid, tgtprocsignedstatus, tgtprocstorylineid, tgtprocuid, threatalreadyexists, threatclassification, threatclassificationsource, tiindicatorcomparisonmethod, tiindicatorsource, tiindicatortype, tiindicatorvalue, treatasthreat, type, updatedescriptionmessage, updatenameanddescriptionmessage, updatenamemessage, uploadedfilename, userid, username, userscope, uuid, value, version
type: json
- name: description
description: Event description
type: string
- name: groupId
description: Related group id
type: string
- name: groupName
description: Related group name
type: string
- name: hash
description: Threat file hash
type: string
- name: id
required: true
description: Activity id
type: string
indicators:
- trace_id
- name: osFamily
description: Agent's OS type
type: string
- name: primaryDescription
description: Primary activity description
type: string
- name: secondaryDescription
description: Secondary activity description
type: string
- name: siteId
description: Related site id
type: string
- name: siteName
description: Related site name
type: string
- name: threatId
description: Related threat id
type: string
- name: updatedAt
description: Activity last updated time (UTC)
type: timestamp
timeFormats:
- rfc3339
- name: userId
description: User who invoked the activity
type: string

SentinelOne.DeepVisibility

Deep Visibility events from the SentinelOne services.
schema: SentinelOne.DeepVisibility
parser:
native:
name: SentinelOne.DeepVisibility
description: Deep Visibility events from the SentinelOne services
referenceURL: https://usea1-partners.sentinelone.net/docs/en/cloud-funnel--subscribing-to-your-edr-events.html#cloud-funnel--hermes--event-types
fields:
- name: '@timestamp'
description: Event timestamp
type: timestamp
timeFormat: unix_ms
isEventTime: true
- name: meta
description: Event metadata
type: object
fields:
- name: traceId
description: Event trace id
type: string
indicators:
- trace_id
- name: accountId
description: Account id
type: string
- name: osFamily
description: OS family
type: string
- name: computerName
description: Computer name
type: string
- name: agentVersion
description: Agent version
type: string
- name: siteId
description: Site id
type: string
- name: osRevision
description: OS version
type: string
- name: osName
description: OS Name
type: string
- name: uuid
description: UUID
type: string
- name: seqId
description: Sequence id
type: int
- name: machineType
description: Machine type
type: string
- name: mgmtUrl
description: SentinelOne management URL
type: string
indicators:
- url
- name: event
description: Event data
type: object
fields:
- name: appName
description: App name
type: string
- name: content
description: Script content
type: string
- name: contentHash
description: Script content hash
type: object
fields:
- name: sha1
description: Sha1 hash
type: string
indicators:
- sha1
- name: sha256
description: sha256 hash
type: string
indicators:
- sha256
- name: md5
description: md5 hash
type: string
indicators:
- md5
- name: decodedContent
description: Decoded content
type: string
- name: desiredAccess
description: Desired access
type: int
- name: exitCode
description: Process termination exit code
type: bigint
- name: indicator
description: Indicator name
type: string
- name: longDescription
description: Indicator description
type: string
- name: md5
description: MD5 hash
type: string
indicators:
- md5
- name: metadata
description: Behavioral indicators event metadata
type: string
- name: method
description: Http event method
type: string
- name: newValueData
description: New registry value
type: string
- name: newValueType
description: New registry value type
type: int
- name: description
description: Event description
type: string
- name: tactics
description: Tactics
type: array
element:
type: object
fields:
- name: techniques
description: list of techniques
type: array
element:
type: object
fields:
- name: name
description: Technique name
type: string
- name: link
description: link
type: string
indicators:
- url
- name: name
description: name
type: string
- name: source
description: Source
type: string
- name: category
description: Category
type: string
- name: classification
description: Event classification
type: string
- name: friendlyName
description: Friendly name
type: string
- name: file
description: File information
type: object
fields:
- name: owner
description: Owner identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: node
description: Node info
type: json
- name: path
description: File path
type: string
- name: creationTime
description: File creation time
type: json
- name: signature
description: File signature
type: json
- name: hashes
description: File hashes
type: object
fields:
- name: sha1
description: Sha1 hash
type: string
indicators:
- sha1
- name: sha256
description: sha256 hash
type: string
indicators:
- sha256
- name: md5
description: md5 hash
type: string
indicators:
- md5
- name: pUnix
description: punix
type: string
- name: fileLocation
description: File location
type: string
- name: isKernelModule
description: File is kernel module
type: string
- name: isDir
description: File is directory
type: string
- name: sizeBytes
description: File size in bytes
type: bigint
- name: oldHashes
description: Old file hashes
type: object
fields:
- name: sha1
description: Sha1 hash
type: string
indicators:
- sha1
- name: sha256
description: sha256 hash
type: string
indicators:
- sha256
- name: md5
description: md5 hash
type: string
indicators:
- md5
- name: oldValueData
description: Old registry value data
type: string
- name: oldValueType
description: Old registry value type
type: bigint
- name: isKernelModule
description: Is file a kernel module
type: string
- name: osSourceParent
description: OS source process parent info
type: object
fields:
- name: parent
description: Parent process info
type: object
fields:
- name: excluded
description: Is process excluded
type: string
- name: node
description: Process node
type: json
- name: isRedirectedCommandProcessor
description: Is redirected command line
type: string
- name: root
description: Process root
type: string
- name: interactive
description: Process is interactive
type: string
- name: name
description: Process name
type: string
- name: subsystem
description: Process subsystem
type: string
- name: fullPid
description: Full pid
type: json
- name: isWow64
description: Is wow64
type: string
- name: sessionId
description: Session id
type: bigint
- name: commandLine
description: Command line
type: string
- name: integrityLevel
description: Process integrity level
type: string
- name: trueContext
description: Process true context
type: json
- name: counters
description: Process event type counter
type: json
- name: interactive
description: Process is interactive
type: string
- name: subsystem
description: Process subsystem
type: string
- name: sessionId
description: Session id
type: bigint
- name: executable
description: Executable information
type: object
fields:
- name: owner
description: Executable owner identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: node
description: Executable node information
type: json
- name: path
description: Executable path
type: string
- name: creationTime
description: Creation time
type: json
- name: signature
description: Executable signature
type: json
- name: hashes
description: Executable hashes
type: object
fields:
- name: sha1
description: Sha1 hash
type: string
indicators:
- sha1
- name: sha256
description: sha256 hash
type: string
indicators:
- sha256
- name: md5
description: md5 hash
type: string
indicators:
- md5
- name: pUnix
description: PUnix field
type: string
- name: fileLocation
description: File location
type: string
- name: isKernelModule
description: Executable is kernel module
type: string
- name: isDir
description: Is Directory
type: string
- name: sizeBytes
description: Executable size in bytes
type: bigint
- name: excluded
description: Is process excluded
type: string
- name: node
description: Process node
type: json
- name: isRedirectedCommandProcessor
description: Is redirected command line
type: string
- name: root
description: Process root
type: string
- name: name
description: Process name
type: string
- name: fullPid
description: Full pid
type: json
- name: isWow64
description: Is wow64
type: string
- name: commandLine
description: Command line
type: string
- name: integrityLevel
description: Process integrity level
type: string
- name: user
description: User identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: osSource
description: OS source process info
type: object
fields:
- name: trueContext
description: true context
type: json
- name: counters
description: Event type counter
type: json
- name: interactive
description: Is interactive
type: string
- name: subsystem
description: subsystem
type: string
- name: sessionId
description: Session id
type: bigint
- name: executable
description: Source executable
type: object
fields:
- name: owner
description: Executable owner identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: node
description: Executable node information
type: json
- name: path
description: Executable path
type: string
- name: creationTime
description: Creation time
type: json
- name: signature
description: Executable signature
type: json
- name: hashes
description: Executable hashes
type: object
fields:
- name: sha1
description: Sha1 hash
type: string
indicators:
- sha1
- name: sha256
description: sha256 hash
type: string
indicators:
- sha256
- name: md5
description: md5 hash
type: string
indicators:
- md5
- name: pUnix
description: PUnix field
type: string
- name: fileLocation
description: File location
type: string
- name: isKernelModule
description: Executable is kernel module
type: string
- name: isDir
description: Is Directory
type: string
- name: sizeBytes
description: Executable size in bytes
type: bigint
- name: excluded
description: Is excluded
type: string
- name: node
description: Node
type: json
- name: isRedirectedCommandProcessor
description: Is redirected command processor
type: string
- name: root
description: root
type: string
- name: name
description: name
type: string
- name: fullPid
description: full pid
type: json
- name: isWow64
description: Is wow64
type: string
- name: commandLine
description: command line
type: string
- name: integrityLevel
description: Integrity level
type: string
- name: user
description: User identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: owner
description: Owner identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: originalSize
description: Original script size
type: string
- name: path
description: Module load path
type: string
- name: parent
description: Parent process info
type: object
fields:
- name: parent
description: Parent process info
type: object
fields:
- name: excluded
description: Is process excluded
type: string
- name: node
description: Process node
type: json
- name: isRedirectedCommandProcessor
description: Is redirected command line
type: string
- name: root
description: Process root
type: string
- name: interactive
description: Process is interactive
type: string
- name: name
description: Process name
type: string
- name: subsystem
description: Process subsystem
type: string
- name: fullPid
description: Full pid
type: json
- name: isWow64
description: Is wow64
type: string
- name: sessionId
description: Session id
type: bigint
- name: commandLine
description: Command line
type: string
- name: integrityLevel
description: Process integrity level
type: string
- name: trueContext
description: Process true context
type: json
- name: counters
description: Process event type counter
type: json
- name: interactive
description: Process is interactive
type: string
- name: subsystem
description: Process subsystem
type: string
- name: sessionId
description: Session id
type: bigint
- name: executable
description: Executable information
type: object
fields:
- name: owner
description: Executable owner identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: node
description: Executable node information
type: json
- name: path
description: Executable path
type: string
- name: creationTime
description: Creation time
type: json
- name: signature
description: Executable signature
type: json
- name: hashes
description: Executable hashes
type: object
fields:
- name: sha1
description: Sha1 hash
type: string
indicators:
- sha1
- name: sha256
description: sha256 hash
type: string
indicators:
- sha256
- name: md5
description: md5 hash
type: string
indicators:
- md5
- name: pUnix
description: PUnix field
type: string
- name: fileLocation
description: File location
type: string
- name: isKernelModule
description: Executable is kernel module
type: string
- name: isDir
description: Is Directory
type: string
- name: sizeBytes
description: Executable size in bytes
type: bigint
- name: excluded
description: Is process excluded
type: string
- name: node
description: Process node
type: json
- name: isRedirectedCommandProcessor
description: Is redirected command line
type: string
- name: root
description: Process root
type: string
- name: name
description: Process name
type: string
- name: fullPid
description: Full pid
type: json
- name: isWow64
description: Is wow64
type: string
- name: commandLine
description: Command line
type: string
- name: integrityLevel
description: Process integrity level
type: string
- name: user
description: User identity
type: object
fields:
- name: name
description: Process user name
type: string
indicators:
- username
- name: sid
description: System identifier
type: string
- name: process
description: Process info
type: object
fields:
- name: parent
description: Parent process info
type: object
fields:
- name: excluded
description: Is process excluded
type: string
- name: node
description: Process node
type: json
- name: isRedirectedCommandProcessor
description: Is redirected command line
type: string
- name: root
description: Process root
type: string
-